<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=iso-8859-1">
<title>Securing Containers - The Java EE 5 Tutorial</title>
<meta name="robots" content="index,follow">
<meta name="robots" content="index,follow">
<meta name="date" content="2008-10-01">
<link rel="stylesheet" type="text/css" href="css/default.css">
<link rel="stylesheet" type="text/css" href="css/ipg.css">
<link rel="stylesheet" type="text/css" href="css/j5eetutorial.css">
</head>

<body>

<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody>
   <tr valign="top">
      <td><p class="toc level1"><a href="docinfo.html">Document Information</a></p>
<p class="toc level1 tocsp"><a href="gexaf.html">Preface</a></p>
<p class="toc level1 tocsp"><a href="gfirp.html">Part&nbsp;I&nbsp;Introduction</a></p>
<p class="toc level2"><a href="bnaaw.html">1.&nbsp;&nbsp;Overview</a></p>
<p class="toc level2"><a href="gfiud.html">2.&nbsp;&nbsp;Using the Tutorial Examples</a></p>
<p class="toc level1 tocsp"><a href="bnadp.html">Part&nbsp;II&nbsp;The Web Tier</a></p>
<p class="toc level2"><a href="bnadr.html">3.&nbsp;&nbsp;Getting Started with Web Applications</a></p>
<p class="toc level2"><a href="bnafd.html">4.&nbsp;&nbsp;Java Servlet Technology</a></p>
<p class="toc level2"><a href="bnagx.html">5.&nbsp;&nbsp;JavaServer Pages Technology</a></p>
<p class="toc level2"><a href="bnajo.html">6.&nbsp;&nbsp;JavaServer Pages Documents</a></p>
<p class="toc level2"><a href="bnakc.html">7.&nbsp;&nbsp;JavaServer Pages Standard Tag Library</a></p>
<p class="toc level2"><a href="bnalj.html">8.&nbsp;&nbsp;Custom Tags in JSP Pages</a></p>
<p class="toc level2"><a href="bnaon.html">9.&nbsp;&nbsp;Scripting in JSP Pages</a></p>
<p class="toc level2"><a href="bnaph.html">10.&nbsp;&nbsp;JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="bnaqz.html">11.&nbsp;&nbsp;Using JavaServer Faces Technology in JSP Pages</a></p>
<p class="toc level2"><a href="bnatx.html">12.&nbsp;&nbsp;Developing with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="bnavg.html">13.&nbsp;&nbsp;Creating Custom UI Components</a></p>
<p class="toc level2"><a href="bnawo.html">14.&nbsp;&nbsp;Configuring JavaServer Faces Applications</a></p>
<p class="toc level2"><a href="bnaxu.html">15.&nbsp;&nbsp;Internationalizing and Localizing Web Applications</a></p>
<p class="toc level1 tocsp"><a href="bnayk.html">Part&nbsp;III&nbsp;Web Services</a></p>
<p class="toc level2"><a href="bnayl.html">16.&nbsp;&nbsp;Building Web Services with JAX-WS</a></p>
<p class="toc level2"><a href="bnazf.html">17.&nbsp;&nbsp;Binding between XML Schema and Java Classes</a></p>
<p class="toc level2"><a href="bnbdv.html">18.&nbsp;&nbsp;Streaming API for XML</a></p>
<p class="toc level2"><a href="bnbhf.html">19.&nbsp;&nbsp;SOAP with Attachments API for Java</a></p>
<p class="toc level1 tocsp"><a href="bnblr.html">Part&nbsp;IV&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="bnbls.html">20.&nbsp;&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="bnbnb.html">21.&nbsp;&nbsp;Getting Started with Enterprise Beans</a></p>
<p class="toc level2"><a href="bnboc.html">22.&nbsp;&nbsp;Session Bean Examples</a></p>
<p class="toc level2"><a href="bnbpk.html">23.&nbsp;&nbsp;A Message-Driven Bean Example</a></p>
<p class="toc level1 tocsp"><a href="bnbpy.html">Part&nbsp;V&nbsp;Persistence</a></p>
<p class="toc level2"><a href="bnbpz.html">24.&nbsp;&nbsp;Introduction to the Java Persistence API</a></p>
<p class="toc level2"><a href="bnbrl.html">25.&nbsp;&nbsp;Persistence in the Web Tier</a></p>
<p class="toc level2"><a href="bnbrs.html">26.&nbsp;&nbsp;Persistence in the EJB Tier</a></p>
<p class="toc level2"><a href="bnbtg.html">27.&nbsp;&nbsp;The Java Persistence Query Language</a></p>
<p class="toc level1 tocsp"><a href="bnbwi.html">Part&nbsp;VI&nbsp;Services</a></p>
<p class="toc level2"><a href="bnbwj.html">28.&nbsp;&nbsp;Introduction to Security in the Java EE Platform</a></p>
<p class="toc level3"><a href="bnbwk.html">Overview of Java EE Security</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwl">A Simple Security Example</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwm">Step 1: Initial Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwo">Step 2: Initial Authentication</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwq">Step 3: URL Authorization</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbws">Step 4: Fulfilling the Original Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwu">Step 5: Invoking Enterprise Bean Business Methods</a></p>
<p class="toc level4 tocsp"><a href="bnbwk.html#bnbww">Security Functions</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwx">Characteristics of Application Security</a></p>
<p class="toc level3 tocsp"><a href="bnbwy.html">Security Implementation Mechanisms</a></p>
<p class="toc level4"><a href="bnbwy.html#bnbwz">Java SE Security Implementation Mechanisms</a></p>
<p class="toc level4"><a href="bnbwy.html#bnbxa">Java EE Security Implementation Mechanisms</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxb">Application-Layer Security</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxc">Transport-Layer Security</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxd">Message-Layer Security</a></p>
<div class="onpage">
<p class="toc level3 tocsp"><a href="">Securing Containers</a></p>
<p class="toc level4"><a href="#bnbxf">Using Deployment Descriptors for Declarative Security</a></p>
<p class="toc level4"><a href="#bnbxg">Using Annotations</a></p>
<p class="toc level4"><a href="#bnbxh">Using Programmatic Security</a></p>
</div>
<p class="toc level3 tocsp"><a href="bnbxi.html">Securing the Application Server</a></p>
<p class="toc level3"><a href="bnbxj.html">Working with Realms, Users, Groups, and Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxk">What Are Realms, Users, Groups, and Roles?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxm">What Is a Realm?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxn">What Is a User?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxo">What Is a Group?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxp">What Is a Role?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxq">Some Other Terminology</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxr">Managing Users and Groups on the Application Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxs">Adding Users to the Application Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxt">Adding Users to the Certificate Realm</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxu">Setting Up Security Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxv">Mapping Roles to Users and Groups</a></p>
<p class="toc level3 tocsp"><a href="bnbxw.html">Establishing a Secure Connection Using SSL</a></p>
<p class="toc level4"><a href="bnbxw.html#bnbxx">Installing and Configuring SSL Support</a></p>
<p class="toc level4"><a href="bnbxw.html#bnbxy">Specifying a Secure Connection in Your Application Deployment Descriptor</a></p>
<p class="toc level4"><a href="bnbxw.html#bnbxz">Verifying SSL Support</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbya">Tips on Running SSL</a></p>
<p class="toc level4 tocsp"><a href="bnbxw.html#bnbyb">Working with Digital Certificates</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyc">Creating a Server Certificate</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyd">Signing Digital Certificates</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyf">Using a Different Server Certificate with the Application Server</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyg">Miscellaneous Commands for Certificates</a></p>
<p class="toc level4 tocsp"><a href="bnbxw.html#bnbyh">Enabling Mutual Authentication over SSL</a></p>
<p class="toc level5"><a href="bnbxw.html#bnbyi">Creating a Client Certificate for Mutual Authentication</a></p>
<p class="toc level3 tocsp"><a href="bnbyj.html">Further Information about Security</a></p>
<p class="toc level2 tocsp"><a href="bnbyk.html">29.&nbsp;&nbsp;Securing Java EE Applications</a></p>
<p class="toc level2"><a href="bncas.html">30.&nbsp;&nbsp;Securing Web Applications</a></p>
<p class="toc level2"><a href="bncdq.html">31.&nbsp;&nbsp;The Java Message Service API</a></p>
<p class="toc level2"><a href="bncgv.html">32.&nbsp;&nbsp;Java EE Examples Using the JMS API</a></p>
<p class="toc level2"><a href="bncih.html">33.&nbsp;&nbsp;Transactions</a></p>
<p class="toc level2"><a href="bncjh.html">34.&nbsp;&nbsp;Resource Connections</a></p>
<p class="toc level2"><a href="bncjx.html">35.&nbsp;&nbsp;Connector Architecture</a></p>
<p class="toc level1 tocsp"><a href="bnckn.html">Part&nbsp;VII&nbsp;Case Studies</a></p>
<p class="toc level2"><a href="bncko.html">36.&nbsp;&nbsp;The Coffee Break Application</a></p>
<p class="toc level2"><a href="bnclz.html">37.&nbsp;&nbsp;The Duke's Bank Application</a></p>
<p class="toc level1 tocsp"><a href="gexbq.html">Part&nbsp;VIII&nbsp;Appendixes</a></p>
<p class="toc level2"><a href="bncno.html">A.&nbsp;&nbsp;Java Encoding Schemes</a></p>
<p class="toc level2"><a href="bncnq.html">B.&nbsp;&nbsp;Preparation for Java EE Certification Exams</a></p>
<p class="toc level2"><a href="bncnt.html">C.&nbsp;&nbsp;About the Authors</a></p>
<p class="toc level1 tocsp"><a href="idx-1.html">Index</a></p>
</td>
      <td width="10px">&nbsp;</td>
      <td width="705px">
         <div class="header">
             <div class="header-links-top">
                 <a href="http://java.sun.com">java.sun.com</a> |
                 <a href="http://docs.sun.com/">docs.sun.com</a><br>
             </div> 
             <img src="graphics/tutorialBanner.gif" width="704" height="120" alt="The Java&trade; EE 5 Tutorial"/>
             <div class="header-links">
	         <a href="index.html">Home</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/information/download.html">Download</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/doc/JavaEETutorial.pdf">PDF</a> |
                 <a href="http://java.sun.com/javaee/5/docs/api/index.html">API</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/information/faq.html">FAQ</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/information/search.html">Search</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/information/sendusmail.html">Feedback</a> |
                 <a href="http://java.sun.com/javaee/5/docs/tutorial/information/history.html">History</a>
             </div>
             <div class="navigation">
                 <a href="bnbwy.html"><img style="padding-right: 3px" src="graphics/leftButton.gif" border="0"></a>
                 <a href="sjsaseej2eet.html"><img style="padding-right: 3px" src="graphics/upButton.gif" border="0"></a>
                 <a href="bnbxi.html"><img style="padding-left: 3px" src="graphics/rightButton.gif" border="0"></a>
             </div>
         </div>

	 <div class="maincontent">      	 
             

<a name="bnbxe"></a><h3>Securing Containers</h3>
<a name="indexterm-2442"></a><a name="indexterm-2443"></a><p>In Java EE, the component containers are responsible for providing application security. A
container provides two types of security: declarative and programmatic. The following sections discuss
these concepts in more detail.</p>

<a name="bnbxf"></a><h4>Using Deployment Descriptors for Declarative Security</h4>
<a name="indexterm-2444"></a><a name="indexterm-2445"></a><a name="indexterm-2446"></a><p>Declarative security expresses an application component&rsquo;s security requirements using <b>deployment descriptors</b>. A deployment descriptor is
an XML document with an <tt>.xml</tt> extension that describes the deployment settings of
an application, a module, or a component. Because deployment descriptor information is declarative,
it can be changed without the need to modify the source code. At
runtime, the Java EE server reads the deployment descriptor and acts upon the
application, module, or component accordingly.</p><p>This tutorial does not document how to write the deployment descriptors from scratch,
only what configurations each example requires its deployment descriptors to define. For help
with writing deployment descriptors, you can view the provided deployment descriptors in a
text editor. Each example&rsquo;s deployment descriptors are stored at the top layer of
each example&rsquo;s directory. Another way to learn how to write deployment descriptors is
to read the specification in which the deployment descriptor elements are defined.</p><p>Deployment descriptors must provide certain structural information for each component if this information
has not been provided in annotations or is not to be defaulted.</p><p>Different types of components use different formats, or <b>schema</b>, for their deployment descriptors.
The security elements of deployment descriptors which are discussed in this tutorial include
the following:</p>
<ul><li><p><a name="indexterm-2447"></a>Enterprise JavaBeans components use an EJB deployment descriptor that must be named <tt>META-INF/ejb-jar.xml</tt> and must be contained in the EJB JAR file.</p><p>The schema for enterprise bean deployment descriptors is provided in the EJB 3.0 Specification (JSR-220), Chapter 18.5, <i>Deployment Descriptor XML Schema</i>, which can be downloaded from <a href="http://jcp.org/en/jsr/detail?id=220">http://jcp.org/en/jsr/detail?id=220</a>.</p><p>Security elements for EJB deployment descriptors are discussed in this tutorial in the section <a href="bnbyl.html#bnbze">Using Enterprise Bean Security Deployment Descriptor Elements</a>.</p></li>
<li><p><a name="indexterm-2448"></a>Web Services components use a <tt>jaxrpc-mapping-info</tt> deployment descriptor defined in JSR 109. This deployment descriptor provides deployment-time mapping functionality between Java and WSDL. In conjunction with JSR 181, JAX-WS 2.0 complements this mapping functionality with development-time Java annotations that control mapping between Java and WSDL.</p><p>The schema for web services deployment descriptors is provided in Web Services for Java EE (JSR-109), section 7.1, <i>Web Services Deployment Descriptor XML Schema</i>, which can be downloaded from <a href="http://jcp.org/en/jsr/detail?id=109">http://jcp.org/en/jsr/detail?id=109</a>.</p><p><a name="indexterm-2449"></a>Schema elements for web application deployment descriptors are discussed in this tutorial in the section <a href="bncbe.html#bncbj">Declaring Security Requirements in a Deployment Descriptor</a>.</p></li>
<li><p>Web components use a web application deployment descriptor named <tt>web.xml</tt>.</p><p>The schema for web component deployment descriptors is provided in the Java Servlet 2.5 Specification (JSR-154), section SRV.13, <i>Deployment Descriptor</i>, which can be downloaded from <a href="http://jcp.org/en/jsr/detail?id=154">http://jcp.org/en/jsr/detail?id=154</a>.</p><p>Security elements for web application deployment descriptors are discussed in this tutorial in the section <a href="bncbe.html#bncbj">Declaring Security Requirements in a Deployment Descriptor</a>.</p></li></ul>


<a name="bnbxg"></a><h4>Using Annotations</h4>
<a name="indexterm-2450"></a><a name="indexterm-2451"></a><a name="indexterm-2452"></a><p><b>Annotations</b> enable a declarative style of programming, and so encompass both the declarative
and programmatic security concepts. Users can specify information about security within a class
file using annotations. When the application is deployed, this information is used by
the Application Server. Not all security information can be specified using annotations, however. Some
information must be specified in the application deployment descriptors.</p><p>Annotations let you avoid writing boilerplate code under many circumstances by enabling tools
to generate it from annotations in the source code. This leads to a
declarative programming style, where the programmer says what should be done and tools
emit the code to do it. It also eliminates the need for maintaining
side files that must be kept up to date with changes in
source files. Instead the information can be maintained in the source file.</p><p>In this tutorial, specific annotations that can be used to specify security information
within a class file are described in the following sections:</p>
<ul><li><p><a href="bncbe.html#bncbf">Declaring Security Requirements Using Annotations</a></p></li>
<li><p><a href="bnbyl.html#bnbzd">Using Enterprise Bean Security Annotations</a></p></li></ul>
<p>The following are sources for more information on annotations:</p>
<ul><li><p><i>JSR 175: A Metadata Facility for the Java Programming Language</i></p></li>
<li><p><i>JSR 181: Web Services Metadata for the Java Platform</i></p></li>
<li><p><i>JSR 250: Common Annotations for the Java Platform</i></p></li>
<li><p>The Java SE discussion of annotations</p></li></ul>
<p>Links to this information are provided in <a href="bnbyj.html">Further Information about Security</a>.</p>

<a name="bnbxh"></a><h4>Using Programmatic Security</h4>
<a name="indexterm-2453"></a><a name="indexterm-2454"></a><p>Programmatic security is embedded in an application and is used to make security
decisions. Programmatic security is useful when declarative security alone is not sufficient to
express the security model of an application. The API for programmatic security consists
of two methods of the <tt>EJBContext</tt> interface and two methods of the servlet
<tt>HttpServletRequest</tt> interface. These methods allow components to make business logic decisions based on
the security role of the caller or remote user.</p><p>Programmatic security is discussed in more detail in the following sections:</p>
<ul><li><p><a href="bnbyl.html#bnbyn">Accessing an Enterprise Bean Caller's Security Context</a></p></li>
<li><p><a href="bncav.html">Working with Security Roles</a></p></li></ul>

         </div>
         <div class="navigation">
             <a href="bnbwy.html"><img style="padding-right: 3px" src="graphics/leftButton.gif" border="0"></a>
             <a href="sjsaseej2eet.html"><img style="padding-right: 3px" src="graphics/upButton.gif" border="0"></a>
             <a href="bnbxi.html"><img style="padding-left: 3px" src="graphics/rightButton.gif" border="0"></a>
         </div>

         <div class="copyright">
      	    <p>The material in The Java&trade; EE 5 Tutorial is <a href='docinfo.html'>copyright</a>-protected and may not be published in other works without express written permission from Sun Microsystems.</p>
      	 </div>

      </td>
   </tr>
</tbody>
</table>
</body>
</html>

